Re: Best way to block access by url and valid referrer?

Rt_Ibmer · April 29, 2008, 10:33pm

According to RFC2616:
"14.36 Referer
The Referer[sic] request-header field allows the client to specify, for the
If you have control on abc, def… try using a more robust method that a simple

Thank you for your concern and pointing this out. I should have
mentioned that I am aware of the limitations of this approach and that
the referrer can be absent or easily faked.

However I do not have control over the GET requests coming in. Basically
we give our users an id=accountX string and only want to provide the
requested content if they embed the link to us within their web site for
which we allow such usage (as deemed from the referrer).

Although they can easily fake the referrer it will not do them much good
to do so because they will want to link to our user’s web site, and
unless they instruct their web site users to take special measures to
hide or forge their referrer (this would not be worth it for them
anyway) then this method should be sufficient

So assuming that its “good enough” for me to rely on matching their
account id to a referrer what would you say is the best way to do what I
was inquiring about in my original message on the subject?

If you use a POST or a GET you should be able to develop a specific Nginx module
to avoid thousands of regex and without need to call your application.

In light of my response above do you still think that is the best way to
go? Basically I’d create a module so that I could do something like add
a “authenticate” directive (something I made up that my module looks
for) to one “location” block, and then enforce all that logic from my
custom module?

That certainly seems like a more efficient way of doing it since I won’t
have to define thousands of “location” blocks. Although I imagine the
processing speed won’t be much different, as it’ll still have to do
thousands of regex comparisons. Well, then again maybe it wouldn’t - I
could probably take their account id from the query string and use it
for a hash lookup to acess a string of valid referrers and compare
that…?

Thank you.

  ____________________________________________________________________________________

Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now.
http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

Rt_Ibmer · April 29, 2008, 11:06pm

Rt Ibmer <[email protected]…> writes:

So assuming that its “good enough” for me to rely on matching their
account id to a referrer what would you say is the best way to do what I
was
inquiring about in my original message on the subject?

I don’t think think there’s a good solution. If you don’t want a huge
config
file to maintain (I agree) you still need to store and query data to
ensure if
access is allowed or not, but as Nginx is an asynchronous server you
will block
all connections during these tests even if you code a specific module.

If you cannot modify the referring links I believe you can use the
configuration
file using includes generated by a script to avoid database or ldap
queries when
Nginx is running.

It’s not a nice or efficient solution, but given the workflow I don’t
see
something better right now.

Best regards.